[BreachExchange] Cyber Security Roundup for December 2018

Destry Winant destry at riskbasedsecurity.com
Fri Jan 4 09:08:03 EST 2019


https://securityboulevard.com/2019/01/cyber-security-roundup-for-december-2018-2/

The final Cyber Security Roundup of 2018 concludes with reports of major
data breaches, serious software vulnerabilities and evolving cyber
threats, so pretty much like the previous 11 months of the year.

5.3 million users of the “make your own avatar” app Boomoji had their
accounts compromised, after the company reportedly didn’t secure its
internet-connected databases properly. “Question and Answer” website
Quora also announced the compromise of 100 million of its user
accounts following a hack.

A large data breach reported in Brazil is of interest: a massive 120
million Brazilian citizens’ personal records were compromised due to a
poorly secured Amazon S3 bucket. This is not the first mass data
breach caused by an insecure S3 bucket we’ve seen in 2018. The lesson
to be learnt in the UK is to never assume or take cloud security for
granted; it’s essential practice to test and audit cloud services
regularly.

Amongst the amazing and intriguing space exploration successes
reported by NASA in December, the space agency announced its
employees’ personal data may have been compromised. Let’s hope poor
security doesn’t jeopardise the great and highly expensive work NASA
is undertaking.

It wouldn’t be normal for Facebook not to be in the headlines for poor
privacy; this time Facebook announced a Photo API bug which exposed
6.8 million user images.

Away from the political circus that is Brexit, the European Parliament
put into law a new Cybersecurity Act. Because of Brexit making
all the headlines, this new law may have gone under the radar, but it
is certainly worth keeping an eye on, even after the UK leaves the EU. The EU
Parliament has agreed to increase the budget for the ENISA (Network &
InfoSec) agency, which will be rebranded as the “EU Agency for
Cybersecurity”. The Cybersecurity Act will establish an EU-wide
framework for cyber-security certifications for online services and
customer devices to be used within the European Economic Area, and
will include IoT devices and critical infrastructure technology.
Knowing the EU’s love of regulations, I suspect this new best
practice framework and its associated accreditations will be turned into
regulations further down the line, which would impact any tech
business operating in the European Union.

The UK Parliament enacted “The Health and Social Care (National
Data Guardian) Act”, which also went under the radar due to all the
Brexit political noise. The act requires the appointment of a data
guardian for England and Wales. The data guardian will publish
guidance on the processing of health and adult social care data for
use by public bodies providing health or social care services, and
produce an annual report.

Chinese telecoms giant Huawei had plenty of negative media coverage
throughout December, with the UK government pressuring BT into not using
Huawei kit within BT’s new 5G network, due to a perceived threat to
the UK’s future critical national infrastructure posed by the Chinese
state-backed tech giant. The UK Defence Secretary Gavin Williamson
said he had “very deep concerns” about Huawei being involved in the new UK
mobile network.
